<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">


  <link rel="apple-touch-icon" sizes="180x180" href="/blog/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/blog/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/blog/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/blog/images/logo.svg" color="#222">

<link rel="stylesheet" href="/blog/css/main.css">



<!-- The two stylesheets below are fetched from a third-party CDN. They are
     version-pinned but carry no Subresource Integrity, so a substituted or
     compromised CDN response would be applied unchecked. Add
     integrity="sha384-…" (digest computed from the exact pinned file) together
     with crossorigin="anonymous" to each of them. -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@5.15.2/css/all.min.css">
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/animate.css@3.1.1/animate.min.css">

<script class="hexo-configurations">
    // Theme-wide configuration emitted by Hexo/NexT. The theme scripts loaded
    // at the end of <body> read these values when they start.
    var NexT = window.NexT || {};
    var CONFIG = {
      "hostname": "littlefxc.github.io",
      "root": "/blog/",
      "images": "/blog/images",
      "scheme": "Mist",
      "version": "8.2.2",
      "exturl": false,
      "sidebar": {"position": "left", "display": "post", "padding": 18, "offset": 12},
      "copycode": false,
      "bookmark": {"enable": false, "color": "#222", "save": "auto"},
      "fancybox": false,
      "mediumzoom": false,
      "lazyload": false,
      "pangu": false,
      "comments": {"style": "tabs", "active": null, "storage": true, "lazyload": false, "nav": null},
      "motion": {
        "enable": true,
        "async": false,
        "transition": {
          "post_block": "fadeIn",
          "post_header": "fadeInDown",
          "post_body": "fadeInDown",
          "coll_header": "fadeInLeft",
          "sidebar": "fadeInUp"
        }
      },
      "prism": false,
      // Search UI strings. The "${…}" markers are ordinary string content here
      // (not template literals); presumably the theme's search script fills them in.
      "i18n": {
        "placeholder": "搜索...",
        "empty": "没有找到任何搜索结果：${query}",
        "hits_time": "找到 ${hits} 个搜索结果（用时 ${time} 毫秒）",
        "hits": "找到 ${hits} 个搜索结果"
      },
      "path": "/blog/search.xml",
      "localsearch": {"enable": true, "trigger": "auto", "top_n_per_article": 1, "unescape": false, "preload": false}
    };
  </script>
<meta name="description" content="1. 前言**从 Elastic Stack 6.8 和 7.1 开始，Elasticsearch在默认分发包中免费提供多项安全功能，例如 TLS 加密通信、基于角色的访问控制 (RBAC)**，等等。在本文中，我将会演示如何启用这些功能来确保您的 Elasticsearch 集群的安全。 实际演示中，我将会在两台centos7上各自创建一个一节点 Elasticsearch 集群并进行安全设置。">
<meta property="og:type" content="article">
<meta property="og:title" content="Elasticsearch 安全功能入门">
<meta property="og:url" content="http://littlefxc.github.io/2019/11/27/Elasticsearch-%E5%AE%89%E5%85%A8%E5%8A%9F%E8%83%BD%E5%85%A5%E9%97%A8/index.html">
<meta property="og:site_name" content="一年春又来">
<meta property="og:description" content="1. 前言**从 Elastic Stack 6.8 和 7.1 开始，Elasticsearch在默认分发包中免费提供多项安全功能，例如 TLS 加密通信、基于角色的访问控制 (RBAC)**，等等。在本文中，我将会演示如何启用这些功能来确保您的 Elasticsearch 集群的安全。 实际演示中，我将会在两台centos7上各自创建一个一节点 Elasticsearch 集群并进行安全设置。">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2019-11-27T01:46:37.000Z">
<meta property="article:modified_time" content="2021-03-25T13:15:48.949Z">
<meta property="article:author" content="一年春又来">
<meta property="article:tag" content="es">
<meta property="article:tag" content="安全">
<meta name="twitter:card" content="summary">


<link rel="canonical" href="http://littlefxc.github.io/2019/11/27/Elasticsearch-%E5%AE%89%E5%85%A8%E5%8A%9F%E8%83%BD%E5%85%A5%E9%97%A8/">


<script class="page-configurations">
  // Per-page flags (see https://hexo.io/docs/variables.html), attached to the
  // theme-wide CONFIG object defined earlier in <head>.
  CONFIG.page = {
    sidebar: "",      // empty here; presumably no per-post sidebar setting
    isHome: false,
    isPost: true,
    lang: "zh-CN"
  };
</script>
<title>Elasticsearch 安全功能入门 | 一年春又来</title>
  




  <noscript>
  <style>
  /* JavaScript-off fallback. <body> carries the class "use-motion" (its
     animated parts are presumably kept invisible by main.css until motion.js
     reveals them); with scripts disabled, force those elements visible and
     show the sidebar panel directly, hiding the JS-driven sidebar nav and
     the search overlay instead. */
  body { margin-top: 2rem; }

  .use-motion .menu-item,
  .use-motion .sidebar,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header {
    visibility: visible;
  }

  .use-motion .header,
  .use-motion .site-brand-container .toggle,
  .use-motion .footer { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle,
  .use-motion .custom-logo-image {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line {
    transform: scaleX(1);
  }

  .search-pop-overlay, .sidebar-nav { display: none; }
  .sidebar-panel { display: block; }
  </style>
</noscript>

<link rel="alternate" href="/blog/atom.xml" title="一年春又来" type="application/atom+xml">
</head>

<body itemscope itemtype="http://schema.org/WebPage" class="use-motion">
  <div class="headband"></div>

  <main class="main">

    


    <div class="main-inner post posts-expand">


  


<div class="post-block">
  
  

  <article itemscope itemtype="http://schema.org/Article" class="post-content" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://littlefxc.github.io/2019/11/27/Elasticsearch-%E5%AE%89%E5%85%A8%E5%8A%9F%E8%83%BD%E5%85%A5%E9%97%A8/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/blog/images/avatar.gif">
      <meta itemprop="name" content="一年春又来">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="一年春又来">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Elasticsearch 安全功能入门
        </h1>

        <div class="post-meta-container">
          <div class="post-meta">
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-calendar"></i>
      </span>
      <span class="post-meta-item-text">发表于</span>

      <time title="创建时间：2019-11-27 09:46:37" itemprop="dateCreated datePublished" datetime="2019-11-27T09:46:37+08:00">2019-11-27</time>
    </span>
      <span class="post-meta-item">
        <span class="post-meta-item-icon">
          <i class="far fa-calendar-check"></i>
        </span>
        <span class="post-meta-item-text">更新于</span>
        <time title="修改时间：2021-03-25 21:15:48" itemprop="dateModified" datetime="2021-03-25T21:15:48+08:00">2021-03-25</time>
      </span>
    <span class="post-meta-item">
      <span class="post-meta-item-icon">
        <i class="far fa-folder"></i>
      </span>
      <span class="post-meta-item-text">分类于</span>
        <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
          <a href="/blog/categories/ELK/" itemprop="url" rel="index"><span itemprop="name">ELK</span></a>
        </span>
    </span>

  
</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">
        <h1 id="1-前言"><a href="#1-前言" class="headerlink" title="1. 前言"></a>1. 前言</h1><p><strong><a target="_blank" rel="noopener" href="https://www.elastic.co/cn/blog/security-for-elasticsearch-is-now-free">从 Elastic Stack 6.8 和 7.1 开始</a>，Elasticsearch 在默认分发包中免费提供多项安全功能，例如 TLS 加密通信、基于角色的访问控制 (RBAC)</strong>，等等。在本文中，我将会演示如何启用这些功能来确保您的 Elasticsearch 集群的安全。</p>
<p>实际演示中，我将会在两台centos7上各自创建一个一节点 Elasticsearch 集群并进行安全设置。要实现这一点，我们首先需要在两个节点之间配置 TLS 通信。然后，我会为 Kibana 实例启用安全功能。再然后，我会在 Kibana 中配置基于角色的访问控制，从而确保用户只能看到他们获授权能够看到的内容。</p>
<p>尽管关于安全功能的运行过程还有很多内容，但现在我们仅会介绍入门所需知识。</p>
<h1 id="2-安装-Elasticsearch-和-Kibana"><a href="#2-安装-Elasticsearch-和-Kibana" class="headerlink" title="2. 安装 Elasticsearch 和 Kibana"></a>2. 安装 Elasticsearch 和 Kibana</h1><p>略</p>
<h1 id="3-传输层配置-TLS-和身份验证"><a href="#3-传输层配置-TLS-和身份验证" class="headerlink" title="3. 传输层配置 TLS 和身份验证"></a>3. 传输层配置 TLS 和身份验证</h1><h2 id="3-1-在-Elasticsearch-主节点上配置-TLS"><a href="#3-1-在-Elasticsearch-主节点上配置-TLS" class="headerlink" title="3.1. 在 Elasticsearch 主节点上配置 TLS"></a>3.1. 在 Elasticsearch 主节点上配置 TLS</h2><p>我要做的第一件事是生成证书，有了这些证书，节点之间便能安全地通信。您可以使用企业 CA 来完成这一步骤，但是在此演示中，我将会使用一个名为 <code>elasticsearch-certutil</code> 的命令，通过这一命令，无需处理证书通常带来的各种麻烦，便能完成这一步。</p>
<pre><code>bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass &quot;&quot;
</code></pre>
<p>如果您使用密码保护了节点证书的安全，请将密码添加到您的Elasticsearch密钥库中：</p>
<pre><code>bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass &quot;testpassword&quot;

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
</code></pre>
<p>接下来，使用您最常用的文本编辑器打开文件 <code>config/elasticsearch.yml</code>。将下列代码行粘贴到文件末尾。</p>
<pre><code>xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
</code></pre>
<p>保存文件，现在我们便可以启动主节点了。运行命令 <code>bin/elasticsearch</code>。这一可执行文件必须保持运行，现在可以将此终端放在一边。</p>
<h2 id="3-2-Elasticsearch-集群密码"><a href="#3-2-Elasticsearch-集群密码" class="headerlink" title="3.2. Elasticsearch 集群密码"></a>3.2. Elasticsearch 集群密码</h2><p><a target="_blank" rel="noopener" href="https://www.elastic.co/guide/en/elasticsearch/reference/7.1/setup-passwords.html"><code>elasticsearch-setup-passwords</code> 官方文档</a></p>
<p>注意：<code>elasticsearch-setup-passwords</code> 这个命令只能使用一次。</p>
<pre><code># 生成随机密码
bin/elasticsearch-setup-passwords auto

# 手动定义密码（建议使用）
bin/elasticsearch-setup-passwords interactive
</code></pre>
<p>但是如果完全忘记了 Elasticsearch 的超级用户的密码，请看</p>
<p><a target="_blank" rel="noopener" href="https://www.notion.so/a9cab5834874407681edc7b573730e0d">Elasticsearch 7.1 重置超级用户的密码</a></p>
<h2 id="3-3-在从节点上配置-TLS"><a href="#3-3-在从节点上配置-TLS" class="headerlink" title="3.3. 在从节点上配置 TLS"></a>3.3. 在从节点上配置 TLS</h2><p>复制证书文件，然后将 <code>xpack.security.*</code> 各项键设置为与主节点一模一样。然后通过运行 <code>bin/elasticsearch</code> 来启动节点。我们将看到其加入集群。而且，如果看一下主节点的终端窗口，我们会看到有一条消息显示已有一个节点加入集群。现在，我们的两节点集群便开始运行了。</p>
<h2 id="3-4-在-Kibana-中实现安全性"><a href="#3-4-在-Kibana-中实现安全性" class="headerlink" title="3.4. 在 Kibana 中实现安全性"></a>3.4. 在 Kibana 中实现安全性</h2><p>在 <code>kibana</code> 安装目录中编辑 <code>config/kibana.yml</code>到类似下面的代码行</p>
<pre><code>#elasticsearch.username: &quot;kibana&quot;
#elasticsearch.password: &quot;testpassword&quot;
</code></pre>
<p>对 <code>username</code> 和 <code>password</code> 两行取消注释，方法是删除代码行起始部分的 <code>#</code> 符号。将 <code>elasticsearch.username</code> 的值设为 “kibana”，然后将 <code>elasticsearch.password</code> 的值更改为 <code>setup-passwords</code> 命令为 kibana 用户给出的密码。保存文件，然后我们便可通过运行 <code>bin/kibana</code> 启动 Kibana 了。</p>

    </div>

    
    
    

    <footer class="post-footer">
          <div class="post-tags">
              <a href="/blog/tags/es/" rel="tag"># es</a>
              <a href="/blog/tags/%E5%AE%89%E5%85%A8/" rel="tag"># 安全</a>
          </div>

        

    </footer>
  </article>
</div>







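<script>
  // Comment-tab persistence (NexT theme): restore the last-used comment tab
  // when the tabs register, and remember the tab the reader switches to.
  (() => {
    // Only a plain token (letters, digits, "_" or "-") may reach the attribute
    // selector below. localStorage is writable by any script on this origin,
    // and an arbitrary stored value interpolated into the selector would make
    // querySelector throw a SyntaxError. Empty string, null and undefined fail
    // the test, which keeps the original "if (activeClass)" behaviour.
    const isSafeTabClass = value => typeof value === 'string' && /^[\w-]+$/.test(value);

    window.addEventListener('tabs:register', () => {
      let { activeClass } = CONFIG.comments;
      if (CONFIG.comments.storage) {
        activeClass = localStorage.getItem('comments_active') || activeClass;
      }
      if (isSafeTabClass(activeClass)) {
        const activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
        if (activeTab) {
          activeTab.click();
        }
      }
    });

    if (CONFIG.comments.storage) {
      window.addEventListener('tabs:click', event => {
        if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
        // classList[1] is presumably the pane's comment-system class (theme
        // convention); persist it only when it is a usable token.
        const commentClass = event.target.classList[1];
        if (isSafeTabClass(commentClass)) {
          localStorage.setItem('comments_active', commentClass);
        }
      });
    }
  })();
</script>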
</div>
  </main>


  
  <!-- anime.js is an executing script fetched from a third-party CDN with no
       integrity attribute: without Subresource Integrity the browser runs
       whatever the CDN returns for this URL. Add integrity="sha384-…" (digest
       computed from the pinned 3.2.1 file) plus crossorigin="anonymous". The
       remaining scripts are same-origin theme files. -->
  <script src="https://cdn.jsdelivr.net/npm/animejs@3.2.1/lib/anime.min.js"></script>
<script src="/blog/js/utils.js"></script><script src="/blog/js/motion.js"></script><script src="/blog/js/schemes/muse.js"></script><script src="/blog/js/next-boot.js"></script>

  
<script src="/blog/js/local-search.js"></script>






  





</body>
</html>
